Make sure you know the differences among the various states’ laws, when they go into effect, and whether or not they apply to your particular business.
California’s privacy laws have now been in effect for more than two years, and we are beginning to see the consequences. Earlier this month, the California Attorney General’s office released the situations where various businesses were cited and in some cases fined for violations. It is an interesting report, notable for both its depth and breadth of cases.
The CalAG is casting a wide net, putting on notice various consumer retailers, technology companies, medical devices, financial services, telecommunications, and AdTech firms. For example, it is critical of various loyalty programs which offer financial incentives (a discount on products or reduced prices). If your business collects consumers’ personal information as an incentive to join such a program, you have to state your intentions clearly or risk a fine.
Also, website construction is critical, particularly when it comes to how a business states its privacy policies and ways that consumers can interact with the business. This means having a Do Not Sell My Personal Information link that is clearly stated (and is tested across multiple web browsers too) and ways to opt out of campaigns, along with a functioning consumer privacy portal.
Some businesses have fixed their problems (the California law allows for a month once notified), which is good news for all of us and evidence that these laws are working to improve consumers’ data privacy. So far one business has reached a settlement. Sephora agreed to pay over a million dollars as documented here. Sephora was cited because it failed to disclose that it was selling their customers’ private data and didn’t fix the problem within the month timeframe. There are various reports it has to provide the CalAG and other remedies as a result of their settlement.
One of the items mentioned in the CalAG report is the Global Privacy Control (GPC). This is one of numerous browser extensions that allow consumers to opt out of data collection efforts, and grew out of efforts from the New York Times, the Electronic Frontier Foundation, Consumer Reports and several privacy-oriented vendors. California picked this up from the EU’s Global Data Protection Regulations, and more than 50M users have installed one of these extensions on their browsers.
In the past two years, a number of states have enacted their own legislation. Our most recent update in April outlines these developments, including further refinements to existing privacy laws in Virginia. (We've also written more about privacy laws, including an earlier 2022 post and a 2021 post.) Since then, Connecticut became the fifth state to enact its privacy law earlier this summer, and several other states (Michigan, Ohio, Pennsylvania, New Jersey, Massachusetts and Washington, DC) still have various bills in motion. However, take these latter efforts as tentative: earlier bills in previous legislative sessions in Iowa, Indiana and Oklahoma died and haven’t been reintroduced. And California has not made it any easier for businesses to comply: the legislature failed to amend its privacy laws, as this analysis examines.
Takeaways for your business
What are some takeaways from the CalAG report? “Now is the time to re-evaluate your privacy disclosures for accuracy, confirm your rights request processes are in place and up to date, and assess whether your websites and mobile apps contain third-party trackers and other adtech solutions are configured appropriately,“ said Husch Blackwell’s David Stauss. These rights are extensive, so re-read the cases cited by the CalAG if not the entire corpus of laws that have been enacted so that you are aware of the depth of information that you need to provide online, as well as where your own business practices intersect with the laws.
It is also clear that the CalAG, at least, is actually carefully scrutinizing websites of businesses. Make sure you test your various opt-out mechanisms that they work properly, and that privacy data is actually removed fully from your databases. If you have a “do not sell” link, make sure to test it across all of your web properties. If you do receive a notice of noncompliance, keep track of the calendar and fix the problem promptly.
Finally, make sure you know the differences among the various states’ laws, when they go into effect, and whether or not they apply to your particular business. Two of the best sources for tracking these efforts are David Stauss at Husch Blackwell and WireWheel’s privacy law comparison analyzer.